How to enforce SSL/TLS for S3 requests using AWS CLI

Priyam Singh


This walkthrough covers the AWS CLI steps to attach a bucket policy that refuses plaintext HTTP, so the bucket's contents can only be read or written over SSL/TLS.

Introduction

Server Side Encryption (SSE) protects S3 data at rest; it does nothing for data in transit. S3 endpoints accept both HTTP and HTTPS, so unless the bucket policy forbids it, a client can fetch or upload objects over plaintext HTTP. Encryption in transit is enforced with a bucket policy statement that has "Effect": "Deny" together with the condition "Bool": {"aws:SecureTransport": "false"}. The aws:SecureTransport key is "false" for any request that arrives over HTTP, and because an explicit Deny overrides every Allow (in the bucket policy or in IAM policies), the statement blocks such requests for every principal, the bucket owner included. This effectively prevents the bucket's contents from being served over plaintext HTTP.

Steps to enforce SSL/TLS for S3 requests using CLI

  1. Fetch the current bucket policy, if there is one:

    aws s3api get-bucket-policy --bucket <bucket_name>

    If no policy is attached to the bucket, the command fails with a NoSuchBucketPolicy error. In that case there is nothing to merge and you can go straight to step 3.

  2. If a policy exists, look for a statement with the following structure. Only a statement with "Effect": "Deny" and the condition "aws:SecureTransport": "false" enforces HTTPS; the Principal must be "*" so that it applies to everyone, and the Resource must list both the bucket ARN (for bucket-level calls such as ListBucket) and "<bucket_ARN>/*" (for object-level calls). Values other than these, such as a narrower Action, still leave some plaintext path open:

    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["<bucket_ARN>", "<bucket_ARN>/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }]

    The Condition line is the one that matters when evaluating the misconfiguration. A statement with "Effect": "Allow" and "aws:SecureTransport": "true" is not a substitute: it grants nothing to HTTP requests, but it does not block them either, so any other Allow statement (in the bucket policy or in an IAM policy) still lets them through. If no matching Deny statement exists, the bucket is not enforcing HTTPS; continue with step 3 and carry the existing statements over.
  3. Set a bucket policy that denies all S3 actions over plaintext HTTP. put-bucket-policy replaces the whole policy, so if step 1 returned an existing policy, add this Deny statement to its "Statement" array instead of overwriting the policy with only the statement below:

    aws s3api put-bucket-policy --bucket <bucket_name> --policy '{"Version":"2012-10-17","Statement":[{"Sid":"DenyInsecureTransport","Effect":"Deny","Principal":"*","Action":"s3:*","Resource":["<bucket_ARN>","<bucket_ARN>/*"],"Condition":{"Bool":{"aws:SecureTransport":"false"}}}]}'

    The single-quoted inline JSON works in bash; for longer policies, or on shells with different quoting rules, save the document to a file and pass --policy file://policy.json. Because the Principal is "*", the Deny also applies to the bucket owner's own IAM users and roles, which is the intent: the AWS CLI and SDKs use HTTPS by default, so their requests are unaffected, while anything still using plain HTTP receives an AccessDenied error. Re-run the get-bucket-policy command from step 1 to confirm the statement is in place.
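The three steps above can be automated offline. The script below is an added example, not code from the original article: it takes the JSON that `aws s3api get-bucket-policy` prints on stdin (or a bare policy document), reports whether a Deny statement blocks plaintext HTTP for every principal on both the bucket and its objects, and otherwise emits a policy document with that Deny appended to the existing statements, ready for `put-bucket-policy --policy file://`. The bucket name `example-bucket`, the account ID `123456789012` and the two sample policies are constructed for the demonstration; the samples show the two near-misses the text warns about (an Allow conditioned on SecureTransport true, and a Deny that covers objects but not the bucket itself).

```python
"""Offline check and fix for the S3 bucket-policy statement that enforces TLS.

Usage (assumed invocation, bucket name as the only argument):
    aws s3api get-bucket-policy --bucket example-bucket | python3 s3_tls_policy.py example-bucket
With no stdin it evaluates the constructed SAMPLE_ALLOW_ONLY policy instead.
"""
import json
import sys


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Accept the get-bucket-policy wrapper {"Policy": "<json string>"} or a bare document."""
    doc = json.loads(text)
    if isinstance(doc, dict) and isinstance(doc.get("Policy"), str):
        doc = json.loads(doc["Policy"])
    return doc


def _tests_secure_transport_false(condition):
    """True when the Condition tests aws:SecureTransport == false (Bool or BoolIfExists)."""
    for operator, tests in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            continue
        for key, value in tests.items():
            if key.lower() == "aws:securetransport":
                if any(str(v).lower() == "false" for v in _as_list(value)):
                    return True
    return False


def _principal_is_everyone(principal):
    """Both "*" and {"AWS": "*"} mean every principal, anonymous included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _covers_bucket_and_objects(resource, bucket_arn):
    """The Deny must name the bucket (ListBucket) and the objects (Get/PutObject)."""
    resources = set(_as_list(resource))
    return "*" in resources or {bucket_arn, bucket_arn + "/*"} <= resources


def enforces_tls(policy, bucket_name):
    """True only if a statement denies all S3 actions over plaintext HTTP to every
    principal, on both the bucket and its objects. An Allow conditioned on
    SecureTransport=true grants nothing to HTTP callers but does not deny them."""
    bucket_arn = "arn:aws:s3:::" + bucket_name
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if not _principal_is_everyone(stmt.get("Principal", {})):
            continue
        if not any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            continue
        if not _covers_bucket_and_objects(stmt.get("Resource", []), bucket_arn):
            continue
        if _tests_secure_transport_false(stmt.get("Condition", {})):
            return True
    return False


def tls_deny_statement(bucket_name):
    """The statement step 3 of the article installs, for the given bucket."""
    bucket_arn = "arn:aws:s3:::" + bucket_name
    return {
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [bucket_arn, bucket_arn + "/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }


def with_tls_deny(policy, bucket_name):
    """Return a document that keeps the existing statements (put-bucket-policy replaces
    the whole policy, so they must be carried over) and adds the Deny if it is missing."""
    if policy is None:  # step 1 returned NoSuchBucketPolicy
        policy = {"Version": "2012-10-17", "Statement": []}
    if enforces_tls(policy, bucket_name):
        return policy
    statements = list(_as_list(policy.get("Statement", [])))
    statements.append(tls_deny_statement(bucket_name))
    return {**policy, "Version": policy.get("Version", "2012-10-17"), "Statement": statements}


def cli_policy_argument(policy):
    """Compact JSON suitable for --policy '...' or for writing to policy.json."""
    return json.dumps(policy, separators=(",", ":"))


# Constructed sample policies (fictional bucket and account) showing two near-misses.
SAMPLE_ALLOW_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"Bool": {"aws:SecureTransport": "true"}},  # allows HTTPS, never denies HTTP
    }],
}
SAMPLE_OBJECTS_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*",  # bucket ARN missing: ListBucket over HTTP still allowed
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}

if __name__ == "__main__":
    bucket = sys.argv[1] if len(sys.argv) > 1 else "example-bucket"
    policy = load_policy(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_ALLOW_ONLY
    if enforces_tls(policy, bucket):
        print("OK: policy denies plaintext HTTP for " + bucket)
    else:
        print("MISSING: printing a policy with the Deny added", file=sys.stderr)
        print(cli_policy_argument(with_tls_deny(policy, bucket)))
```

The check deliberately requires Principal "*", Action "s3:*" (or "*") and both resource ARNs; a Deny that is narrower than that is reported as missing, because the gap it leaves (for example ListBucket over HTTP in SAMPLE_OBJECTS_ONLY) is exactly the kind of residual plaintext path a reviewer is looking for.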
